cyber security 4.0 conference 30 november 2016
TRANSCRIPT
O u r W o r kDanish Institute of Fire and Security Technology
S O C I A L E N G I N E E R I N G
C Y B E R I N V E S T I G A T I O N I T F O R E N S I C S
P H Y S I C A L & E L E C T R O N I C
S E C U R I T Y
Future of Social EngineeringCurrent trends and future expectations on the phenomenon of Social Engineering.
Dogana3-year EU project with the aim of developing next generation Social Engineering attacks and mitigation methods.
Project SAVENational R&D project for The Royal Danish Defence College (FAK) on Social Engineering 2.0.
OverviewPresentation
01 02 03
Social Engineering
”Social Engineering is the art of getting someone to do something, they would not otherwise do – using psychological manipulation ,,
DEFINITION
Socia l Engineer ing Attack CycleSE Attack Cycle
SECycle
Execute attack by requiring the target to conduct an action, the target would not otherwise do.
3. Attack
Employing an exit strategy is typicallyonly required if the target is to be leftunsuspecious or if the attackers expectadditional contact with the target in the future.
4. Exit
Conduct the necessary research to understand the target at hand.
1. Reconnaissance
Initiate contact with the target based on the insights gained from the
reconnaissance phase.
2. Contact
Social Engineering 2.0
Social Engineering has evolved from the physical domain as a platform for elication of information to employing cyberspace as the new battleground. With new means of communications between individuals comes new attack vectors for the social engineer, including: phishing emails, smishing, CEO Fraud, Ransomware, etc.
NEW METHODS
P r o j e c t S A V E :Social Vulnerabil ity &
Assessment Framework
R&D for The Royal Danish Defence College
P r o j e c t S A V ENational Project
National project developed for the Royal Danish Defence College with the purpose of uncovering the threat of Social Engineering against critical national infrastructure (CNI) in Denmark.
• Development of advanced OSINT methods, deception planning and SE 2.0 attacks.
• Execution of simulated attacks against three companies that are directly part of, or supports, critical national infrastructre.
• The purpose is to uncover how vulnerable CNI is to Social Engineering 2.0 attacks and disseminatethe results of the study.
SAVE: Reconnaissance
• Crawling of email addresses• Social media personality profiling (sentiment analysis)• Social Network Analysis (SNA)• Systemic network footprinting (Maltego, metadata)• Darknet investigation for leaked/sold information
ReconnaissanceProject SAVE
• Crawled from the companies’ own websites
• Crawled from open sources• Indexed results from Google• Indexed documents
Email crawling:
ReconnaissanceProject SAVE
• Crawled content targets’ facebook profiles• Coded a script• Emulated human browsing with Selenium to avoid crawling
countermeasures
• Conducted sentiment analyses of the content using a ‘bag of words’ approach
• Based on the sentiment analyses we categorized the users’ in the ‘Big Five’ personality framework
Sentiment Analysis & Personality Profiling:
ReconnaissanceProject SAVE
• Systematic analysis of information sold on Darknet
• Correlated sold information on +45 darknet markets for the involved companies in the study
• We could not request information
Darknet Investigation Methods:
Reconnaissance Resul tsProject SAVE
• ID layout for business deals• ID of stakeholders and voting rights within the organisation• ID of critical database system and how to access it• ID of complete guide to the database• ID of users with access to the database• Full list of emails and phone numbers
Critical Results from the Recon Phase:
Reconnaissance Resul tsProject SAVE
• ID of useful information from metadata, incl. long list of software in use
• Design of Guest ID Card• Social network analysis revealed critical nodes within the
company network, which were highly interconnected, makingthem ideal targets for a SE attack
Critical Results from the Recon Phase:
• Phishing emails• Spear-phishing emails• Credential harvesting• Whaling• Smishing• Evil USB• PDF attack
SAVE: Attack Vectors
Executed AttacksProject SAVE
Three companies that are either directly, or support, critical infrastructure in Denmark participated.
Objective is to target CNI
Complete cyber reconnaissance of the companies and select employees.
Conduct Cyber Reconnaissance
A total of 185 SE 2.0 attacks were executed as part of the field trial testing.
185 social engineering 2.0 attacks
Vector
Target#1
Target#2
Target#3
Spear-Phishing
3
1
3
Whaling
1
1
3
ConventionalPhishing
2
4
146
Smishing
3
5
9
USBAttack
0
0
3
PDFattack(follow-up)
1
2(3)
0
Aggregated Resul tsProject SAVE
47 pct. of all executed SE 2.0 attacks were successful
in convincing the targets to click on phishing links or execute a file. Criteria for success was dependent on the registration of the attempt on our web server log.
Successful Attacks
A little more than half of all executed attacks were
unsuccessful in the study. From qualitative interviews with some of the targets, we can conclude that minor details in the wording, the sender spoofed, and/or lack
of information (e.g. a phone number in the email) were the reasons behind their lack of trust in the email.
Failed Attempts
47%
53%
47%
53%
Success Rate of SE 2.0 Attacks
D o g a n a :Advanced Social Engineering and
Vulnerabil ity Assessment Framework
R&D For The EU Commission
The Dogana Consort iumThe Dogana Project
18 partners from 11 countries in a 3-year Horizon 2020 project about advanced Social Engineering 2.0.
Partners
http://www.dogana-project.eu
The Dogana Project
Developing a next generation platform for social vulnerability assessment via simulated attacks.
Next Generation SE Attacks
Using innovative awareness methods to mitigate the risk of social engineering.
Innovative Awareness Methods
Full scale field trial testing of the platform, testing +1,000 of employees to evaluate the recon, attack and awareness phases.
Full Scale Field Trials
http://www.dogana-project.eu
Overview of Dogana
Dogana Plat formThe Dogana Project
End2End platform, which embodies both advanced reconnaissance methods for uncovering the digital shadow of targets as well as psychological profiling.
End-to-End SE Platform
The advanced recon methods are integrated into a one-stop platform where full assessment of targets can be conducted.
Adv. Recon and Assessment of Targets
The platform integrates social engineering 2.0 attackvectors, thus becoming a holistic attack solution for conducting socially driven vulnerability assessments of companies.
Integrated SE 2.0 attacks
http://www.dogana-project.eu
Innovat ive Awareness MethodsThe Dogana Project
Gamification is the concept of using serious games as a delivery method for improving the securityconsciousness of the recipients.
Gamification
Serious games are interactive and can be either single-or multi-player. Serious games can prove to be more effective than conventional learning methods.
Interactive learning
2 min. of playing a game every day for six months contra spending 6 hours at a frontal lecture once every sixth month. Which has the greatest impact in maintaining security consciousness for the recipient over time?
Less is more
http://www.dogana-project.eu
Introducing SNAP_RFuture of SE
SNAP_R auto-analyses and selects targets, and generates proper and relevant responses to tweets, which inclulde a phishing link.
Aut. E2E Spear Phishing on Twitter
It utilizes deep learning for analysing data from users and data about users, in order to select the most susceptible targets to spear phishing attacks.
Neural Network / Deep Learning
Given that grammatical errors are widely accepted on twitter, that the tweet is limited to 140-characters and that URLs are almost always shortened, the SNAP_R gets away with most of the obstacles of machine learning for automated spear phishing attacks.
Deception through Obfuscation
Introducing SNAP_RFuture of SE
SNAP_R is up to five times as effective compared to other automated spear phishing bots, which typically has a success rate ranging from 5% to 14%. However, SNAP_R reports success rates ranging from 30% and 66%. Manually constructed spear phishing attacks has an average success rate of 45%.
5x More EffectiveSNAP_R is open source and available for everyone to test. The script can be found on Github:
https://github.com/getzerofox/SNAP_R
Open Source
Example
IoT RansomwareFuture of SE
IoT ransomware is no longer hypothetical. We foresee a development in ransomware attacks moving to IoT as soon as more standards are implemented in the making of IoT devices.
Internet of Things Ransomware
When all of your devices become connected to the Internet, ransomware attacks will be able to move from focusing on locking access to data to locking access to your actual devices.
From Digital to Physical Lockdown
• Your Smart Car• Your Smart Home• Pacemakers• Hospital Equipment• Real Examples: Smart Thermostat & Smart TV
Examples